Card verification code (CVC) or card verification value (CVV) is a 3-digit pin issued with every credit and debit card, meant as an additional layer of security*. Every time customers make a transaction, they are to enter or verify the CVC/CVV code, thereby authenticating their ownership of the card. Interestingly, the CVC isn’t engraved onto the card’s surface, like the card number. This prevents it from being printout out along with other details when issuing receipts, making sure that no one but the card owner knows it.
At a time of growing credit and debit card fraud, adhering to CVC best practices is essential for consumers, and contact centres alike.
Why CVC Security is So Important Today
A recent study by the Federal Trade Commission found that there has been an alarming rise in credit card fraud in the past year. Phone scams, phishing, skimming and shimming (like skimming, but the theft is from chip cards rather than magnetic stripe cards) are some of the techniques used by fraudsters to get hold of a customer’s card details. According to the study, fraud jumped by a staggering 104% between 2019 and 2020.
If this doesn’t seem like much, keep in mind that fraud cases increased by just 27% between 2017 and 2019.
This makes CVV/CVC security protocols doubly important. At a time when so many of us rely on digital channels for daily transactions, and payment channels are more interconnected than ever, this is one piece of information that is never out of the customer’s ownership (ideally). Sellers, both online and offline, cannot store their customer’s CVV/CVC data so that even in case the seller’s database is breached, the attacker won’t have the code required to make transactions.
Now coming to the key question at hand – can contact centres store card verification codes/values? The short answer is NO.
Why Contact Centres Cannot Store CVV/CVC
Generally, merchants shouldn’t be privy to CVV/CVC information in the first place, as customers don/t have to convey this data to complete a transaction. However, in 2018, some card providers started mandating that merchants submit this code for card-not-present transactions, such as online payments where there is no physical evidence of card ownership. In such cases, the CVV/CVC is collected directly by a bank/payment website and sent to the authentication gateway without being stored by any of the entities.
In a contact centre environment, customers might want to complete transaction telephonically, which is why they might want to share their CVV/CVC for the sake of sheer convenience. However, keep in mind that this is forbidden as per PCI standards, as it disallows companies from storing CVC as well as magnetic stripe information. Therefore, it is advisable to complete telephonic transactions via online channels, wire transfer links, etc. instead of collecting CVV data from the customer.
*CVC is also called CVV2, CVC2, or Personal Security Code, comprising 3 or 4 digits depending on the card provider – but the same rules apply.
